Query Details

MDE Remote Image Loads

Query

# Remote Image Loads

## Query Information

#### Description
This query can be used to summarize the remote image loads on a (potentially) compromised device, grouped per remote session.

NOTE! For Unified XDR and Sentinel the remote-session columns used by this query have not been deployed yet, so the query will fail there.

#### References
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/detect-compromised-rdp-sessions-with-microsoft-defender-for/ba-p/4201003

## Defender XDR
```KQL
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
let Threshold = 50; // Customizable
DeviceImageLoadEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where IsInitiatingProcessRemoteSession == 1
| summarize TotalEvents = count(), Commands = make_set(InitiatingProcessCommandLine) by InitiatingProcessRemoteSessionDeviceName, InitiatingProcessRemoteSessionIP, InitiatingProcessAccountUpn
| where TotalEvents <= Threshold
```
## Sentinel
```KQL
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
let Threshold = 50; // Customizable
DeviceImageLoadEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where IsInitiatingProcessRemoteSession == 1
| summarize TotalEvents = count(), Commands = make_set(InitiatingProcessCommandLine) by InitiatingProcessRemoteSessionDeviceName, InitiatingProcessRemoteSessionIP, InitiatingProcessAccountUpn
| where TotalEvents <= Threshold
```

Explanation

This query is designed to identify and summarize remote image loads on a potentially compromised device, specifically focusing on remote sessions. Here's a simplified breakdown:

  1. Target Device: The query is looking at a specific device, in this case, "laptop.contoso.com".
  2. Time Frame: It examines events that occurred within the last 48 hours (this can be customized).
  3. Event Threshold: It filters out any remote sessions that have more than 50 image load events (this threshold can also be customized).
  4. Remote Sessions: It specifically looks for image load events initiated by remote sessions.
  5. Summarization: The query summarizes the total number of image load events and collects the command lines used during these sessions, grouping them by the remote session device name, IP address, and user account.

The query will fail in Unified XDR and Sentinel environments while the remote-session columns it relies on are not yet deployed there.
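The same pipeline, reimplemented in Python over constructed sample rows as an added example (not part of the original query or the author's work), so the filter order and the direction of the threshold can be checked offline; the row layout, host names, IPs and command lines are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 8, 20, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _row(minutes_ago, remote, host, ip, upn, cmd, device="laptop.contoso.com"):
    # One constructed DeviceImageLoadEvents row (not real telemetry); only the columns the query touches.
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "DeviceName": device,
            "IsInitiatingProcessRemoteSession": 1 if remote else 0,
            "InitiatingProcessRemoteSessionDeviceName": host, "InitiatingProcessRemoteSessionIP": ip,
            "InitiatingProcessAccountUpn": upn, "InitiatingProcessCommandLine": cmd}

SAMPLE_EVENTS = (
    # Busy admin RDP session: 60 loads, above the threshold, so the query drops it as noise.
    [_row(i, True, "admin-ws", "10.0.0.5", "admin@contoso.com", "mmc.exe") for i in range(60)]
    # Short session from an unfamiliar host: 3 loads, two distinct command lines.
    + [_row(5, True, "unknown-pc", "203.0.113.9", "user@contoso.com", "powershell.exe"),
       _row(4, True, "unknown-pc", "203.0.113.9", "user@contoso.com", "powershell.exe"),
       _row(3, True, "unknown-pc", "203.0.113.9", "user@contoso.com", "rundll32.exe")]
    # A local (non-remote) process and a remote event older than 48h: both filtered out.
    + [_row(2, False, "", "", "user@contoso.com", "explorer.exe"),
       _row(49 * 60, True, "old-host", "10.0.0.7", "user@contoso.com", "cmd.exe")]
)

def summarize_remote_image_loads(events, compromised_device, now=NOW,
                                 search_window=timedelta(hours=48), threshold=50):
    """Same pipeline as the KQL: filter rows, summarize per remote session, keep TotalEvents <= threshold."""
    groups = defaultdict(lambda: {"TotalEvents": 0, "Commands": set()})
    for e in events:
        if e["Timestamp"] <= now - search_window:       # | where Timestamp > ago(SearchWindow)
            continue
        if e["DeviceName"] != compromised_device:       # | where DeviceName == CompromisedDevice
            continue
        if e["IsInitiatingProcessRemoteSession"] != 1:  # | where IsInitiatingProcessRemoteSession == 1
            continue
        key = (e["InitiatingProcessRemoteSessionDeviceName"],   # the three "by" columns
               e["InitiatingProcessRemoteSessionIP"], e["InitiatingProcessAccountUpn"])
        groups[key]["TotalEvents"] += 1                 # count()
        groups[key]["Commands"].add(e["InitiatingProcessCommandLine"])  # make_set() keeps distinct values
    # The threshold keeps the *low-volume* sessions: a handful of loads from a host nobody
    # recognises is the signal, while a busy admin session is dropped as noise.
    return [{"RemoteSessionDeviceName": k[0], "RemoteSessionIP": k[1], "AccountUpn": k[2],
             "TotalEvents": v["TotalEvents"], "Commands": sorted(v["Commands"])}
            for k, v in groups.items() if v["TotalEvents"] <= threshold]
```

Running it on real data means exporting the relevant DeviceImageLoadEvents columns and feeding them to `summarize_remote_image_loads`; raising `threshold` shows the busy session reappearing, which is the knob the query's `Threshold` variable controls.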

Details


Bert-Jan Pals

Released: August 20, 2024

Tables

DeviceImageLoadEvents

Keywords

Devices

Operators

let, ago, count, make_set, summarize, by, where
